Stamp Out Hash Corruption 
What's inside?

■ Windows Hash Extraction
■ Story of What We Found
■ Windows Hash Extraction Mechanics
■ A Different Approach
■ Why Are All the Tools Broken?
■ Demo
■ Patches
Let's talk about hashes!!!
Goals of Getting Hashes

■ Privilege Escalation
■ Password Analysis
■ Forensics Investigations
Windows Password Hashes

Two Types of Hashes:

■ LM (Lan Manager)
  ■ Old Hashing Algorithm w/ Security Flaws
  ■ Case insensitivity, Broken into 2 Components
■ NTLM (NT Lan Manager)
  ■ Newer Hashing Algorithm w/ Security Flaws
  ■ Not salted, but is case sensitive
Windows Password Hashes

Two Methods to Get Hashes:

■ Injection via LSASS
  ■ Reads hashes from memory
■ Registry Reading via SAM/SYSTEM
  ■ Reads hashes from local registry hives
Story Time
Failed Attempt 1

■ Social Engineering Engagement
  ■ Gained Physical Access
  ■ Dumped Hashes on a Bank Workstation
■ Failed to Crack
  ■ John the Ripper
  ■ Rainbow Tables
Failed Attempt 2

■ Internal Penetration Assessment
  ■ Popped a Shell via Missing Patch
  ■ Dumped Hashes on System
■ Fail to Crack
  ■ Rainbow Tables (via all LM Space & French)
  ■ Pass the Hash (PTH)
Example Hashes

Via Registry (Metasploit)
  LM:   4500a2115ce8e23a99303f760ba6cc96
  NTLM: 5c0bd165cea577e98fa92308f996cf45

Via Injection (PwDump6)
  LM:   aad3b435b51404eeaad3b435b51404ee
  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
Metasploit Framework

Bug #4402

Hashdump script/post module breaks with passwords greater than 14

When using "run hashdump" or the post/windows/gather/hashdump module on a windows 2008 server with a password of larger than 14 characters, the hash that is returned is incorrect.
Where Do Hashes Live?

Where Do Hashes Live?

■ HKLM\SAM
  ■ Stores security information for each user (including hash data)
■ HKLM\SYSTEM
  ■ Stores the SYSKEY ("salts" the SAM information for security purposes)
What The Registry Looks Like

HKLM\SAM\SAM\domains\account\users\
Users: 000001F4, 000001F5, etc.

Name       Type        Data
(Default)  REG_SZ      (value not set)
F          REG_BINARY  02 00 01 00 00 00 00 00 8d
V          REG_BINARY  00 00 00 00 be 00 00 00 02
What's Inside These Values?

■ For each user, we have two values...
  ■ "F" - Binary Data
    Last Logon, Account Expires, Password Expiry, etc.
  ■ "V" - Binary Data
    Username, LM Hash Data, NT Hash Data, etc.

Crowe Horwath.

A Closer Look At Raw Data

(A = LM hash bytes, B = NTLM hash bytes, 0 = headers and other data)

Raw Data w/ LM & NTLM Data

    ...0000AAAAAAAA0000BBBBBBBB0000

Raw Data w/ just NTLM Hash Data

    ...00000000BBBBBBBB000000000000
Registry Extraction Tools

■ Metasploit Hashdump Script
■ Creddump
■ Samdump2
■ Cain & Abel
■ Pwdump7
■ FGDump 3.0
■ Others
Current Parsing Logic

Decision flow figure (OFFSET → HASH DATA → size check). The tool decides which hashes exist from the size of the hash data:

■ LM & NTLM if size > 40 bytes
■ NTLM
■ None
The "Flaw"
Remember these?

Via Registry (Metasploit)
  LM:   4500a2115ce8e23a99303f760ba6cc96
  NTLM: 5c0bd165cea577e98fa92308f996cf45

Via Injection (PwDump6)
  LM:   aad3b435b51404eeaad3b435b51404ee
  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
The "Flaw"

Decision flow figure (OFFSET → HASH DATA → DATA++ → size check). With DATA++ following the hash data, the size is > 40 bytes, so the "LM & NTLM" branch is taken where only NTLM should be reported.

The "Flaw"

BAD

    ...0000AAAAAAAA0000BBBBBBBB0000    (the layout the tool assumes)
    ...00000000BBBBBBBB000000000000    (the layout actually present)
Root Cause?

How do we get "DATA++"?

    OFFSET   HASH DATA   DATA++

■ By following Microsoft best practices
  ■ Set Password History
  ■ No LM Hashes
Raw Look at "V" Data Structure

Screenshot of the registry key HKEY_LOCAL_MACHINE\SAM\SAM\domains\account\users\…3ed showing the raw hex of the F (REG_BINARY) and V (REG_BINARY) values; the V value is annotated with the markers LM HASH, NT HASH DATA and DATA++. (The hex dump itself is not recoverable from the extracted text.)
How often does this occur?

■ Newer OS's do not store LM
  ■ Windows Vista and newer
■ LM can be disabled by a proactive Sysadmin
■ Password histories set through GPO
In an ideal world...

We would want...
■ LM Exists?
■ NTLM Exists?
■ Parse correct hash data 100% of the time
Raw Look at "V" Data Structure

Second screenshot of the same F and V REG_BINARY values, again annotated with LM HASH, NT HASH DATA and DATA++. (The hex dump itself is not recoverable from the extracted text.)
A Different Approach

■ "V" has 4-byte headers (length fields) for LM & NTLM
  ■ 0x4 (4 bytes) = Hash Not Present (false)
  ■ 0x14 (20 bytes) = Hash Present (true)

No more guessing!

A Different Approach

Decision flow figure (OFFSET → HASH DATA → DATA++). The outcome (LM & NTLM, NTLM, or None) is now read from the headers, not inferred from the size of the data:

■ LM & NTLM
■ NTLM
■ None

A Different Approach

BAD LOGIC

    ...0000AAAAAAAA0000BBBBBBBB0000
    ...0000[0000BBBBBBBB000000000000

GOOD LOGIC

    ...0000AAAAAAAA0000BBBBBBBB0000
    ...00000000BBBBBBBB000000000000
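The size-based "Current Parsing Logic" and the header-based fix from "A Different Approach", side by side, as an added example written for this page; it is not code from the talk or from any of the tools it names. The layout of the synthetic "V" blob is an assumption modelled on the slides: LM and NT descriptors at V+0x9C as little-endian (offset, length, pad) triples, offsets relative to V+0xCC, a 4-byte header in front of each 16-byte hash, and a constructed trailing block standing in for the password-history "DATA++". The hash bytes are constructed placeholders (the real ones would still be SYSKEY-encrypted); the point is only where each parser believes the hashes are.

```python
import struct

# Layout assumptions for the synthetic "V" blob (modelled on the slides, not a
# real SAM export): descriptors at V+0x9C, data relative to V+0xCC, and each
# stored hash is a 4-byte header followed by 16 bytes.
DESC_OFF = 0x9C
DATA_BASE = 0xCC
HDR = b"\x01\x00\x01\x00"   # constructed stand-in for the 4-byte entry header
PRESENT = 0x14              # header + 16-byte hash -> "Hash Present"
ABSENT = 0x04               # header only          -> "Hash Not Present"


def build_v(lm_hash=None, nt_hash=None, history=b""):
    """Build a synthetic V value. 'history' models the DATA++ that a
    password-history policy appends after the hash entries."""
    for h in (lm_hash, nt_hash):
        assert h is None or len(h) == 16
    lm_entry = HDR + (lm_hash or b"")
    nt_entry = HDR + (nt_hash or b"")
    desc = struct.pack("<6I", 0, len(lm_entry), 0, len(lm_entry), len(nt_entry), 0)
    v = bytearray(DATA_BASE)
    v[DESC_OFF:DESC_OFF + len(desc)] = desc
    return bytes(v) + lm_entry + nt_entry + history


def parse_by_size(v):
    """'Current Parsing Logic': decide which hashes exist from how many bytes
    follow the hash offset. The slide states the LM+NT branch as
    'size > 40 bytes'; this model uses >= 40 so that a bare LM+NT block
    (4+16 + 4+16 bytes) is taken as both present."""
    hash_off = DATA_BASE + struct.unpack_from("<I", v, DESC_OFF)[0]
    size = len(v) - hash_off
    if size >= 40:                       # assumes [hdr][LM][hdr][NT]
        return v[hash_off + 4:hash_off + 20], v[hash_off + 24:hash_off + 40]
    if size >= 24:                       # assumes [hdr][hdr][NT]
        return None, v[hash_off + 8:hash_off + 24]
    return None, None


def parse_by_headers(v):
    """'A Different Approach': trust the per-hash length fields (0x14 present,
    0x4 absent) and never infer presence from the size of the data."""
    lm_off, lm_len, _, nt_off, nt_len, _ = struct.unpack_from("<6I", v, DESC_OFF)

    def entry(off, length):
        if length == ABSENT:
            return None
        if length != PRESENT:
            raise ValueError(f"unexpected hash entry length {length:#x}")
        start = DATA_BASE + off + 4      # skip the 4-byte header
        return v[start:start + 16]

    return entry(lm_off, lm_len), entry(nt_off, nt_len)


# Constructed placeholder bytes, not real (or decrypted) hashes.
LM = bytes([0xAA]) * 16
NT = bytes([0xBB]) * 16
HISTORY = bytes([0xCC]) * 40


def compare():
    """Run both parsers over the three cases the slides discuss."""
    cases = {
        "LM & NTLM": build_v(LM, NT),
        "NTLM only": build_v(None, NT),
        "NTLM only + DATA++": build_v(None, NT, HISTORY),
    }
    return {name: (parse_by_size(v), parse_by_headers(v)) for name, v in cases.items()}


if __name__ == "__main__":
    for name, (by_size, by_hdr) in compare().items():
        print(name)
        print("  size-based  :", [h.hex() if h else None for h in by_size])
        print("  header-based:", [h.hex() if h else None for h in by_hdr])
```

Both parsers agree on the first two cases. Once the history block is appended, parse_by_size hands back the NT header plus twelve NT bytes as the "LM hash" and sixteen history bytes as the "NT hash", which is the kind of uncrackable, non-matching pair shown under Example Hashes; parse_by_headers returns (None, NT) because the LM length field is 0x4, whatever follows the data.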
Why are all the tools broken?
Who's Patient Zero?

Lineage figure, top to bottom:

    pwdump
    samdump2
    Cain & Abel    Creddump
    Metasploit
Tool Timeline

Timeline figure. Tools and versions shown:

■ Pwdump v. 1
■ FGDump v. 3.0
■ Cain & Abel v. 2.7.4
■ Creddump v. 0.1
■ Pwdump7 v. 7.1
■ Samdump2 v. 1.0.1
■ Samdump2 v. 1.1.1
■ MSF Hashdump

Dates on the axis (the tool-to-date placement was lost in extraction): 3/24/1997, 3/28/04, 7/9/05, 11/21/07, 2/20/08, 12/30/09, 3/10/10, 11/9/11
Take Away

■ Reverse engineering is hard
■ Exhaustive testing is time consuming
■ Leveraging code is helpful
■ Fully reusing code is not always good
■ Open source lets others learn and help fix!
Demonstration

Patches!!!!

Patches

Affected Tools                  Patched?
Creddump                        Yes
Metasploit's Hashdump Script    Yes
L0phtCrack                      Working with Author(s)
Pwdump7                         Working with Author(s)
FGDump 3.0                      Working with Author(s)
Samdump2                        Fixed in v 1.1.1
Cain & Abel                     Working with Author(s)
Questions?